CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, includes new privacy requirements that experts have called "the biggest change to the health care privacy and security environment since the original HIPAA privacy rule." These include:
- New requirements around managing Protected Health Information (PHI), including extending accountability from healthcare providers to their business associates;
- New federal rules for data breach notification, including specific notification thresholds, timelines and methods;
- Effective immediately, increased and sometimes mandatory penalties with maximum fines ranging from $25,000 to as much as $1.5 million.
No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization's credibility and can carry huge medical and financial risks for the people whose data is lost. We've managed hundreds of data breaches and helped thousands of identity theft victims. Through this we've learned firsthand that compliance doesn't necessarily equal low risk of a data breach. For the well-being of the business and its patients, healthcare organizations and their partners need to take the most comprehensive approach to securing PHI.
HITECH Compliance Beyond Prevention, Security Beyond IT
Organizations often think first of IT security measures to protect personal data, but we have found through working with healthcare organizations that most data breaches are linked to human error or process failure, rather than technology—a desktop computer with PHI was stolen, a data backup tape lost in transit, a web update wasn't thoroughly tested and left access open.
In fact, a recent study by PriceWaterhouseCoopers, CSO Magazine and CIO Magazine (The 2008 Global State of Information Security Study) found that only 5% of data breaches are caused by malicious cyber-attacks.
These incidents didn't result from lack of HIPAA compliance but rather from mistakenly thinking that compliance measures that had been taken were sufficient to prevent a data breach incident.
In 2008, 44% of breach incidents were due to third-party handling of data. With HITECH, organizations will now be held responsible for a third party's handling of their data. In fact, many of the healthcare-related data breaches in the news have resulted from lax security practices at a third-party service provider or from insider data theft. For example, a medical center used a courier to transport patient files, and the files were lost somewhere in transit. The medical center was held accountable and financially responsible even though the courier was at fault.
Bottom line: effective privacy protection requires more than IT security and compliance.
Five Steps to HITECH Preparedness
It is likely that HIPAA compliance or a conversion to electronic medical records initiated new data security measures in your organization. However, with breach incidents on the rise and the new HITECH law, reviewing all aspects of PHI security and data breach readiness is paramount.
Here are the five steps we recommend to all healthcare organizations for addressing HITECH requirements and the increased threat of data breach:
- Do a risk-based assessment: The first step in your incident response plan should be to conduct a thorough, risk-based assessment of practices related to your PHI assets and their lifecycle. This includes creating an accurate inventory of the PII/PHI data you hold and all internal and external workflows where the information is used. It should identify PHI-specific risks in your IT systems but also in your organizational policies and processes. Finally, it should identify all business associates that have access to PHI for which you are responsible.
- Secure PHI, per guidelines: With your risk-based assessment and PHI inventory in hand, ensure that this information is "secured" through a technology or methodology specified by the Secretary of Health and Human Services (HHS) pursuant to the HITECH Act. Two complementary measures apply here: de-identifying data wherever a process does not need to know who the patient is, and following the "minimum necessary" principle, i.e., providing only as much data as each business process or function actually requires. For example, our healthcare clients often change member identification numbers from Social Security numbers to an assigned member ID and then remove or obscure the Social Security number in their database records. Encrypting these information systems is also a very advisable means of reducing breach risk, and encryption is the method HHS guidance names for rendering electronic PHI "secured." These actions minimize the damage of a data breach, protect patients, and help you avoid the notification requirements, which apply only to "unsecured PHI."
- Address Contracts and Processes: The HITECH Act requires contracts with your business associates to authorize and define their use of the PHI that is shared with them. Business associates can include healthcare organizations, industry service providers, payors, suppliers or any other organization with which you do business. A risk-based assessment tells you which associates pose the highest breach risk, enabling your legal team to prioritize contract revisions and your operations team to concentrate on strengthening high-risk processes. In a recent hospital breach managed by ID Experts, a business associate exposed highly sensitive PHI, and it was the hospital's reputation that suffered.
- Plan for Breach Detection: Under the HITECH Act, you must provide notification without unreasonable delay, and within 60 days of discovery at the latest, when PHI in any form is breached, not just electronic records. The definition of "breach" now includes even incidental loss or exposure of single records or small amounts of personal information, as happened in the Nadya Suleman case, where Kaiser was penalized $250K for a leak of medical information regarding her pregnancy with octuplets. Under the new rules, a breach is officially discovered on "the first day it is known, or should reasonably have been known." In the past, data breaches such as the United HealthCare breach have been discovered months or years after the fact, when victims began complaining of identity theft. Now failure to detect a breach can trigger penalties of up to $1.5M. To ensure early breach detection, we recommend aggressive, ongoing monitoring programs that may range from IT audits to checking patient health records for inconsistencies.
- Plan for Breach Response: Under HITECH, notification requirements are more specific, and notification is required even for small-scale data breaches. (Editor's note: See also The Dos and Don'ts of Disclosure Letters.) You must also maintain meticulous records of all breach incidents, regardless of size, and report them to the Department of Health and Human Services (HHS); breaches affecting 500 or more individuals are posted by HHS and become part of the public record. We have also found it helpful to have a solid working relationship with the Attorneys General of the states where you serve patients, since they will critically assess your compliance with notification requirements and whether there has been "willful neglect" on your part, which leads to very stiff penalties. To meet HITECH requirements, a detailed breach response plan should be in place. Consider vendors who provide turnkey notification services, including call centers and postal mail, and who have experience creating tailored notification and advisory services for breach victims with special needs, such as age, mental health issues or physical disabilities. Remediation services for breach victims will help preserve public trust in your organization.
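To make the "Secure PHI" step concrete, here is an added example (not from the article or from ID Experts) of the Social Security number-to-member-ID substitution it describes, written in Python. It assumes patient records are simple dicts with an "ssn" field, assigns member IDs at random rather than deriving them from the SSN, and keeps the one table that can re-link a member ID to an SSN in a separate vault that stores only an HMAC of each SSN under a key held outside the application (in-memory values stand in for a real KMS and database here). One caveat: swapping the SSN for a member ID reduces exposure but does not by itself make a record "de-identified" under HIPAA, which also requires removing names, dates and the other listed identifiers; the check at the end only verifies that no SSN survived the conversion.

```python
"""Replace SSNs in patient records with randomly assigned member IDs.

Added example; record layout, member-ID format and the in-memory vault are
assumptions for illustration, not a description of any real system.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Set

# Pattern for a formatted US SSN; used both to validate input and to verify
# that no SSN survives in the converted records.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class MemberIdVault:
    """Issues assigned member IDs and holds the SSN-to-member-ID link.

    The vault never stores an SSN, only an HMAC of it, so a copy of the vault
    table is useless without the key. In production the key would live in a
    KMS or HSM and the table in a separately access-controlled database; here
    both are in memory (an assumption of this example).
    """

    def __init__(self, hmac_key: bytes) -> None:
        self._key = hmac_key
        self._by_tag: Dict[str, str] = {}   # HMAC(ssn) -> member ID
        self._issued: Set[str] = set()

    def _tag(self, ssn: str) -> str:
        return hmac.new(self._key, ssn.encode(), hashlib.sha256).hexdigest()

    def member_id_for(self, ssn: str) -> str:
        """Return the member ID for an SSN, assigning a fresh one if needed."""
        if not SSN_RE.match(ssn):
            raise ValueError("malformed SSN")
        tag = self._tag(ssn)
        member_id = self._by_tag.get(tag)
        if member_id is None:
            # Random, not derived from the SSN: there is no formula to invert
            # and no issue order to correlate with enrollment dates.
            while True:
                member_id = "M" + secrets.token_hex(4).upper()
                if member_id not in self._issued:
                    break
            self._issued.add(member_id)
            self._by_tag[tag] = member_id
        return member_id

    def lookup(self, ssn: str) -> Optional[str]:
        """Re-link an SSN to its member ID; this is the only path back."""
        return self._by_tag.get(self._tag(ssn))


def deidentify(records: List[dict], vault: MemberIdVault) -> List[dict]:
    """Return copies of the records with 'ssn' replaced by 'member_id'."""
    out = []
    for rec in records:
        clean = dict(rec)
        ssn = clean.pop("ssn")
        clean["member_id"] = vault.member_id_for(ssn)
        out.append(clean)
    return out


def contains_ssn(records: List[dict]) -> bool:
    """Post-conversion check: does any field still look like an SSN?"""
    return any(SSN_RE.match(str(v)) for rec in records for v in rec.values())


# Constructed sample data, not real patients. Patient A appears twice so the
# example shows that one person keeps one member ID across visits.
SAMPLE_RECORDS = [
    {"name": "Patient A", "ssn": "123-45-6789", "dob": "1980-01-02", "visit": "2009-03-01"},
    {"name": "Patient B", "ssn": "987-65-4321", "dob": "1975-07-14", "visit": "2009-03-02"},
    {"name": "Patient A", "ssn": "123-45-6789", "dob": "1980-01-02", "visit": "2009-04-20"},
]

if __name__ == "__main__":
    vault = MemberIdVault(secrets.token_bytes(32))
    cleaned = deidentify(SAMPLE_RECORDS, vault)
    for rec in cleaned:
        print(rec)
    print("SSNs remaining in converted records:", contains_ssn(cleaned))
```

The vault and the converted records should live in different systems with different access controls: the main records no longer carry an SSN at all, and the vault carries no SSN either, only an HMAC that is meaningless without the key. Losing a backup tape of the converted records then exposes less than the original data set would have, which is the damage-limiting effect the step above is after.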
The new HITECH Act requirements will likely affect every aspect of your operations: business and healthcare processes; IT data security, retention, and monitoring; contracts and business relationships. With increasing risks, a better understanding of the compliance process will benefit your patients, your employees and your business.
Rick Kam is president and founder of ID Experts Corp.